Machine Learning for Offensive Security: Sandbox Classification Using Decision Trees and Artificial Neural Networks
This work provides a domain-specific application of machine learning for offensive security teams, offering practical insights into real-world usage.
The paper tackled the problem of detecting sandboxes in offensive security operations by using decision trees and artificial neural networks on process list data from phishing emails, achieving successful classification to avoid unsafe execution.
The merits of machine learning in information security have primarily focused on bolstering defenses. However, machine learning (ML) techniques are not reserved for organizations with deep pockets and massive data repositories; the democratization of ML has lead to a rise in the number of security teams using ML to support offensive operations. The research presented here will explore two models that our team has used to solve a single offensive task, detecting a sandbox. Using process list data gathered with phishing emails, we will demonstrate the use of Decision Trees and Artificial Neural Networks to successfully classify sandboxes, thereby avoiding unsafe execution. This paper aims to give unique insight into how a real offensive team is using machine learning to support offensive operations.